Cybersecurity's Venture Capital and Private Equity Money-go-Round

Access to Money at the Right Time is Essential for Cybersecurity Firms Given the Volatility of the Market

Security firms bought by and consumed within larger firms can easily lose their way. It happened with McAfee, bought by Intel in 2010 for $7.68 billion, and extracted with a 51% purchase by private equity (PE) firm TPG in April 2017. The extraction valued McAfee at only $4.2 billion.

McAfee will be hoping that it can emulate SonicWall -- which also lost its way after being bought by Dell (from Thoma Bravo) in 2012. In the summer of 2016, Francisco Partners and Elliott Management extracted SonicWall (along with Quest Software) for a price reported by Reuters to be around $2 billion. Thoma Bravo did not disclose the price Dell paid for SonicWall, but the Wall Street Journal suggested it was $1.2 billion.

Dell acquired Quest Software for $2.4 billion in 2012 -- making the combined cost of the two firms somewhere in the region of $3.6 billion. In short, the two firms together fell in value from $3.6 billion to just $2 billion in the five years they spent as part of Dell.

Since then, SonicWall has been turned around under PE guidance and the stewardship of CEO Bill Conner. A little over a year after purchasing the two firms, Francisco Partners announced that it had completed a $2 billion debt refinancing, due to the strong operating performance of the firms. The refinancing was significantly oversubscribed; it reduces the operating overheads of the firms and positions them nicely for further growth.

Access to money at the right time (and a few other things like the right management team) is essential for cybersecurity firms given the volatility of the market in both emerging start-ups and changing technology. This means that finding the right backers and understanding the investment market could be fundamental to the prospects of almost any cybersecurity firm. Excluding the unknown potential of the new small-scale crowdfunding options, there are three primary sources of serious money: angel investment, venture capital (VC) and private equity (PE).

'Angels' tend to be individuals -- or possibly collections of individuals -- who invest their own money in promising ideas. They are often important in getting a new company started, but do not normally have sufficient funds to take a growing company to the next level.

That next level of funding generally comes from venture capital (VC). VC funds "like Paladin, Amadeus and others step in to provide capital to entrepreneurs just after their angel or 'proof of concept' phase of funding," explains Nazo Moosa. Moosa this year formed a new European VC firm called VT Partners, with the express purpose of injecting U.S.-style funding and growth into the under-performing European cybersecurity company market.

The key point for VC is that it funds new companies with new ideas. At this stage they are promising rather than proven; some will succeed, many will fail. Because of the additional risk to the investors, VC money is invested at high interest rates. This is the biggest problem area for the cybersecurity industry -- because of the high interest rates, returns need to be made relatively fast, and/or additional investment found. A company's value is often based on the number of its users, so sales can in many cases be more important than further product development.

Of course, not all VC firms are there just for a quick return. Dan Schiappa, Sophos SVP and GM, explains, "The top echelon investors are not in it for the quick turnaround, but instead they are long-term investors that will add value to a management team and towards building a long term viable company." But he adds, "VCs who look to build a company for acquisition from the get-go are the ones to avoid, as they may drive behaviors that are not beneficial to customers or product quality."

The problem is that cybersecurity attracts both types of VC money, simply because it is hot. "Everybody is under attack all of the time," comments Conner, "from other countries, cybercriminals, and hacktivists. So it's a hot area and hot areas tend to attract a lot of opportunity and a lot of money. From that there are a lot of start-ups with new 'silver bullets' that attract VC."

Schiappa believes there is a common cycle for new security companies. Initial idea and development is followed by VC investment. The money enables strong marketing, which effectively makes or breaks the business depending on the inherent strength of the initial product.

"At the end of the day," Schiappa explains, "much of the problem is that tech entrepreneurs follow the logic of getting product out as quickly as possible and gaining feedback. While in some circumstances that is a good and viable strategy, in others, it produces low quality products, that may be innovative, but are not suitable to build a scalable business. Startups get hyped, their innovation gets adopted; but then -- when they hit a scale that goes beyond the business or the product -- they enter the trough of sorrow, where investment is needed to build the product properly. During this period of time, you usually see a pickup in marketing in order to keep the momentum going. It can take years for a company to exit the trough with the quality product and business operations to scale to a legitimate business."

The problem for the cybersecurity industry is that new ideas do not often have 'years' to spare; they are constantly being supplanted by new and different ideas and technology.

"The hype cycle is where a startup can make it or break it," he continues. "If they are building quality products during the hype cycle, they will withstand the scale and not enter the trough, or enter it very briefly. Those who ship a product that is barely more than a prototype are destined for disaster."

Some VC investors collude in this cycle by insufficiently understanding cybersecurity. "There is a lot of money at play in the security space," warns Conner, "because it's such an interesting area, and an area that's not going to go away -- and there's also a lot of money that doesn't really understand security. It's not necessarily dumb money, but it's at risk in this space."

A good VC is not just a money lender -- it's a mentor who, adds Schiappa, "will guide the company properly and even provide technical advisers who can ensure that the product is built with production quality."

Company founders and private investors usually have one common long-term aim -- to maximize a return on their time and capital. There are three primary routes: sale to a larger company; going public and raising money on a stock exchange; and attracting the next level of private investment. The next level is 'private equity'. It is 'big money' that generally becomes available to companies that have been through the early growth phases of venture capital and have demonstrated the potential for future growth.

PE differs from VC in two primary ways: firstly there is generally more money available than there is in VC; and secondly, PE usually seeks to take a greater stake in the company -- if not actual ownership -- rather than simply investing in it. "PE firms tend to take on more ownership and liability of a company," comments Nathan Wenzler, chief security strategist, AsTech Consulting, "and so, they tend to have a stronger motivation to invest in the long term viability of it."

In this way, private equity firms play a different role in the evolution of a company. A PE firm looks for demonstrable potential. It is not interested in firms that have maxed their potential, but in firms that are perhaps slightly under-performing.

"They tend," explains Schiappa, "to acquire a company that has been an established vendor, has meaningful billings and revenues, but might not be operating at its full potential." SonicWall and McAfee both fit this bill. By improving performance, the PE firm will be able to gain its own return through one of two exit strategies: sale to a big security firm (or a larger PE firm); or going public. Unlike the majority of VC firms, PE tends to take a longer term view of the growth of its investment.

One method of improving performance -- beyond simply injecting capital -- is to strengthen the management team. A PE firm, says Schiappa, will "typically bring in professional leaders to guide the company to the public markets or to a larger exit. The PE firm is definitely investing with an exit in mind and their goal is to build value in the asset towards meeting that need. In most cases it is always beneficial to the company and their strategy and operations."

When Francisco Partners acquired SonicWall from Dell, it was because SonicWall was losing its way despite having proven product, and therefore potential. "What Francisco Partners saw," explains Conner, "was a multiple $100m dollar company where the revenue was going down. It was losing money, but some of us -- and that included myself -- knew that the company had been growing before and made money before; both when it was private and public. So we knew it just needed to get restructured, or rebuilt and refocused -- which is what I've done over the last years."

The first thing the PE company did was to bring in Bill Conner as the new CEO. Conner already had successful experience in working with a PE firm, having taken Entrust through its four-year period with Thoma Bravo to its sale to the Datacard Group in 2013, for what he says was six and a half times the PE firm's original investment.

This is the cybersecurity money-go-round. VC firms look for the next silver bullet that could give the investors a high return over a short period. It tends to be new technology or an innovative idea; but there is no company track record. The risks are higher, so the cost of the money is more expensive. This can lead to increased pressure on the company to grow as fast as possible. If that growth can be sustained, the company will succeed; if it cannot, it will fail.

If the company succeeds, it can then become a target for private equity investment. That company now has a track record, but PE is looking for the potential for even greater growth through a combination of additional funds and perhaps improved leadership. There are, and there always will be, casualties -- both in silver bullet companies that prove to lack luster, and buyers of those products. During the hype phase of VC, users can be persuaded to buy a product that under-performs and ultimately fails -- and that could prove costly to the user beyond the price of the product. The PE phase is more stable. PE firms are confident that the product is good and the market is strong.

Overall, the system works. By far the majority of big cybersecurity firms are U.S.-based, with only a handful of European firms reaching a similar scale. It is no coincidence that the U.S. has five times the venture funding of Europe. But to use the system profitably, new companies need to choose the right VC investment in their early years. Cybersecurity firms should examine the track record of VC firms just as closely as PE firms examine the track record of the cybersecurity firms.

Incidentally, Dell, which first bought SonicWall and then sold it to PE firms Francisco Partners and Elliott Management, has its own investment history. It started in 1984 with Michael Dell building and selling personal computers while he was a student at the University of Texas at Austin, using $1,000 capital provided by his family. As he proved his worth, his family increased their 'investment' to a loan of $500,000, similar to early stage 'angel' investments.

As his firm grew, Dell did not proceed to the venture capital stage. Instead, he hired a retired merchant banker and venture capitalist, Lee Walker, as president and CEO. Walker helped secure the firm's first serious credit -- a bank's line of credit for $10 million. Dell also skipped the private equity stage: it raised capital in a private placement in 1987 and went public via an initial public offering in 1988. Michael Dell retained a significant position in the company, but no longer had personal control.

During the 1990s, the company continued to prosper, but started to suffer from the increasing commoditization of personal computers after 2000, and the later effect of mobile devices on the PC market. Dell's market dominance declined -- but in 2013 Dell announced that Michael Dell and Silver Lake Partners, together with a $2 billion loan from Microsoft, would take the company private in a $24.4 billion leveraged buyout deal. In essence, Michael Dell used private equity to escape from public ownership rather than the more usual route of using it to prepare for public ownership.

It was the PE-backed Dell that announced the purchase of EMC for $67 billion in October 2015, completing the deal in September 2016. The combined companies became Dell Technologies, the world's largest privately controlled integrated technology company, which also includes security industry pioneer RSA.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.